I think read-only access to a specific AP Group of devices may be best accomplished with the upcoming MSP feature combined with read-only users. The users would only have access to APs assigned to their MSP account.
Details are presented in the webinar posted here: